From f4dc62f33be095e5ceb9ae7a75c3e97bbb8edfcb Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 22 Mar 2019 15:42:10 +0100 Subject: [PATCH] With update-check-ksk also consider offline keys The option `update-check-ksk` will look if both KSK and ZSK are available before signing records. It will make sure the keys are active and available. However, for operational practices keys may be offline. This commit relaxes the update-check-ksk check and will mark a key that is offline to be available when adding signature tasks. (cherry picked from commit 3cb8c49c73906b28921012619a3bb87805613b81) --- CHANGES | 4 ++++ lib/dns/zone.c | 12 ++++-------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 466cdab47a..287b83ea66 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ recursion was requested by the client, not on whether recursion was available. [GL #963] +5209. [bug] When update-check-ksk is true, add_sigs was not + considering offline keys, leaving record sets signed + with the incorrect type key. [GL #763] + 5208. [test] Run valid rdata wire encodings through totext+fromtext and tofmttext+fromtext methods to check these methods. [GL #899] diff --git a/lib/dns/zone.c b/lib/dns/zone.c index f1d61771ac..2131daa14c 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -8869,9 +8869,6 @@ zone_sign(dns_zone_t *zone) { if (!dst_key_isprivate(zone_keys[i])) { continue; } - /* - * Should be redundant. - */ if (dst_key_inactive(zone_keys[i])) { continue; } @@ -8915,11 +8912,10 @@ zone_sign(dns_zone_t *zone) { { continue; } - if (!dst_key_isprivate(zone_keys[j])) { - continue; - } - /* - * Should be redundant. + /* Don't consider inactive keys, however + * the key may be temporary offline, so do + * consider keys which private key files are + * unavailable. */ if (dst_key_inactive(zone_keys[j])) { continue;
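Review bot: in the CHANGES hunk, entry 5209 says "add_sigs was not considering offline keys", but the only code touched by this cherry-pick is zone_sign() in lib/dns/zone.c (the diffstat lists just CHANGES and zone.c, 12 lines changed). Either name the function actually changed ("zone_sign was not considering offline keys") or confirm that the add_sigs part of the original commit 3cb8c49c73906b28921012619a3bb87805613b81 was meant to be dropped from this backport; as written, a reader checking the entry against the diff will not find add_sigs.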
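Review bot: in the first zone.c hunk (@@ -8869), dropping the "Should be redundant." comment leaves the back-to-back `dst_key_isprivate(zone_keys[i])` and `dst_key_inactive(zone_keys[i])` checks with no explanation, and the two loops now treat them differently: this loop still requires a private key while the loop in the next hunk deliberately does not. A short comment here saying why both checks are needed for the signing key (isprivate: we must be able to produce the signature; inactive: the key is not meant to sign any more) would keep the asymmetry from looking accidental, e.g. `/* Must be a usable private key that is still active. */`.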
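Review bot: in the second zone.c hunk (@@ -8915), the new comment has two grammar slips, "may be temporary offline" should read "may be temporarily offline" and "keys which private key files are unavailable" should read "keys whose private key files are unavailable"; also the first line of the block comment starts text on the `/*` line while the surrounding comments (see the removed one in the previous hunk) put the opening `/*` on its own line. On the logic, removing `if (!dst_key_isprivate(zone_keys[j]))` means a key with no private key file is now counted as an available key of its type for the update-check-ksk test while it cannot itself sign; that is the stated intent, but the comment should say this consequence explicitly (the check now only establishes that a key of the other type exists and is active, not that it is usable), so a later reader does not reinstate the isprivate check as a "fix".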